---
title: AWS
sidebarTitle: AWS
---

import Overview from "/snippets/overview.mdx"
import PreBuiltTooling from "/snippets/generated/aws/PreBuiltTooling.mdx"
import PreBuiltUseCases from "/snippets/generated/aws/PreBuiltUseCases.mdx"

<Overview />
<PreBuiltTooling />
<PreBuiltUseCases />

## Access requirements
| Pre-Requisites | Status | Comment|
| - | - | - |
| Paid dev account | ✅ Not required | Free, self-signup for an [AWS account](https://portal.aws.amazon.com/billing/signup). |
| Paid test account | ✅ Not required | Free tier is sufficient for testing. |
| Partnership | ✅ Not required | |
| App review | ✅ Not required | |
| Security audit | ✅ Not required | |


## Setup guide

AWS offers multiple authentication methods. This guide covers two main approaches:

### AWS IAM (Basic Auth)

<Steps>
  <Step title="Create an AWS account">
    If you don't already have one, sign up for an [AWS account](https://portal.aws.amazon.com/billing/signup).
  </Step>
  <Step title="Create an IAM user">
    1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).
    2. Navigate to the IAM service by searching for "IAM" in the search bar.
    3. In the left navigation pane, choose **Users**, then **Create user**.
    4. Enter a user name and select **Next**.
    5. On the permissions page, select **Attach policies directly**.
    6. Search for and select the policies that grant the necessary permissions for your integration. For example, you might need `AmazonS3ReadOnlyAccess` for S3 access.
    7. Choose **Next**, review your choices, and then select **Create user**.
  </Step>
  <Step title="Create access keys">
    1. From the list of users, select the user you just created.
    2. Select the **Security credentials** tab.
    3. Under **Access keys**, choose **Create access key**.
    4. Select **Application running outside AWS** as the use case, then click **Next**.
    5. (Optional) Add a description tag, then click **Create access key**.
    6. On the final page, you'll see your **Access key ID** and **Secret access key**. Make sure to download the .csv file or copy these values, as you won't be able to view the secret access key again.
  </Step>
  <Step title="Configure your integration in Nango">
    When setting up your AWS IAM integration in Nango:
    
    - Use your **Access key ID** as the username
    - Use your **Secret access key** as the password
    - Specify the AWS region in your connection configuration (e.g., `us-east-1`)
  </Step>
  <Step title="Next">
    Follow the [_Quickstart_](/getting-started/quickstart).
  </Step>
</Steps>

### AWS Cognito (OAuth 2.0)

<Steps>
  <Step title="Create an AWS account">
    If you don't already have one, sign up for an [AWS account](https://portal.aws.amazon.com/billing/signup).
  </Step>
  <Step title="Create a Cognito User Pool">
    1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).
    2. Navigate to the Amazon Cognito service by searching for "Cognito" in the search bar.
    3. Choose **User Pools** from the left navigation pane.
    4. Select **Create user pool**.
    5. Choose the authentication providers you want to use. For OAuth integration, select **Cognito user pool** as the provider.
    6. Configure the security requirements, including password policy and MFA settings.
    7. Configure sign-up experience and required attributes.
    8. Configure message delivery for verification emails and SMS.
    9. Integrate your app by giving it a name and configuring the app client.
    10. Review all settings and create the user pool.
  </Step>
  <Step title="Configure the App Client">
    1. After creating the user pool, navigate to the **App integration** tab.
    2. Under **App clients and analytics**, select **Create app client**.
    3. Choose **Confidential client** for server-side applications.
    4. Enter a name for your app client.
    5. Set the **Refresh token expiration** as needed (default is 30 days).
    6. Under **Allowed callback URLs**, add `https://api.nango.dev/oauth/callback`.
    7. Select the **OAuth 2.0 grant types** you need (typically Authorization code grant).
    8. Under **OpenID Connect scopes**, select the scopes your application requires.
    9. Choose **Create app client**.
  </Step>
  <Step title="Configure a Domain">
    1. Still in the **App integration** tab, under **Domain**, choose **Actions** and then **Create custom domain** or **Create Cognito domain**.
    2. For a Cognito domain, enter a domain prefix.
    3. For a custom domain, enter your domain name and upload an SSL certificate.
    4. Choose **Create**.
  </Step>
  <Step title="Configure OAuth Settings">
    1. In the **App integration** tab, under **Hosted UI**, choose **Edit**.
    2. Configure the identity providers you want to use.
    3. Set the callback URL to `https://api.nango.dev/oauth/callback`.
    4. Select the OAuth scopes you need.
    5. Choose **Save changes**.
  </Step>
  <Step title="Obtain Client Credentials">
    1. Navigate to the **App clients and analytics** section.
    2. Select your app client from the list.
    3. Note your **Client ID**.
    4. Click **Show client secret** to view and copy your client secret.
  </Step>
  <Step title="Configure your integration in Nango">
    When setting up your AWS Cognito integration in Nango:
    
    - Use your **Client ID** and **Client Secret**
    - For the OAuth authorization URL, use: `https://{your-domain}.auth.{region}.amazoncognito.com/oauth2/authorize`
    - For the token URL, use: `https://{your-domain}.auth.{region}.amazoncognito.com/oauth2/token`
    - Replace `{your-domain}` with your Cognito domain prefix and `{region}` with your AWS region (e.g., `us-east-1`)
  </Step>
  <Step title="Next">
    Follow the [_Quickstart_](/getting-started/quickstart).
  </Step>
</Steps>

### Creating a new connection
- To create a new connection in Nango for AWS IAM, you'll need an Access Key ID and a Secret Access Key. Use these to set up your connection, with the Access Key ID as the username and the Secret Access Key as the password. For more details on generating these keys, visit [Create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-key-self-managed.html#Using_CreateAccessKey).
- With this you can now use your basic auth credentials to sign you requests as follows. For more on how to sign your requests, please vist [AWS signature version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html)

```js
    if ('username' in connection.credentials && 'password' in connection.credentials && 'region' in connection.connection_config) {
        const accessKeyId = connection.credentials['username'];
        const secretAccessKey = connection.credentials['password'];
        const region = connection.connection_config['region'];
        const host = 'iam.amazonaws.com';

        const date = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '');
        const payloadHash = crypto.createHash('sha256').update('').digest('hex');
        const canonicalHeaders = `host:${host}\nx-amz-date:${date}\n`;
        const signedHeaders = 'host;x-amz-date';

        const canonicalRequest = `${method}\n${path}\n${querystring}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`;
        const credentialScope = `${date.substr(0, 8)}/${region}/${service}/aws4_request`;
        const stringToSign = `AWS4-HMAC-SHA256\n${date}\n${credentialScope}\n${crypto.createHash('sha256').update(canonicalRequest).digest('hex')}`;

        const getSignatureKey = (key: string, dateStamp: string, regionName: string, serviceName: string) => {
            const kDate = crypto.createHmac('sha256', `AWS4${key}`).update(dateStamp).digest();
            const kRegion = crypto.createHmac('sha256', kDate).update(regionName).digest();
            const kService = crypto.createHmac('sha256', kRegion).update(serviceName).digest();
            return crypto.createHmac('sha256', kService).update('aws4_request').digest();
        };

        const signingKey = getSignatureKey(secretAccessKey, date.substr(0, 8), region, service);
        const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex');

        const authorizationHeader = `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;

        return { authorizationHeader, date };
```


<Tip>Need help getting started? Get help in the [community](https://nango.dev/slack).</Tip>


## Useful links

-   [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
-   [Creating IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
-   [Managing Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
-   [IAM API Reference](https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html)
-   [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html)
-   [Setting Up the Hosted UI](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html)
-   [OAuth 2.0 Token Endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html)
-   [Cognito Service Endpoints](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html)


<Note>Contribute useful links by [editing this page](https://github.com/nangohq/nango/tree/master/docs/integrations/all/aws.mdx)</Note>

## Common Scopes

You can find the list of supported scopes in [scopes documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html)

## API gotchas

_None yet, add yours!_

<Note>Contribute API gotchas by [editing this page](https://github.com/nangohq/nango/tree/master/docs/integrations/all/aws.mdx)</Note>
